Fending off an attack

Massive Distributed Denial of Service (DDoS) attacks that target data centers, like last fall’s Dyn cyberattack, have the potential to disrupt internet-related services on a large scale and affect tens of millions of people. These attacks are especially worrisome for any enterprise relying on “as-a-service”, which begets the need to ensure as-a-service vendors can effectively respond to DDoS onslaughts. Jim Hurley, a distinguished analyst at technology research and advisory firm ISG, shares his insights on what enterprises using cloud-based as-a-services can do to work with their providers and reduce risks to their business from similar attacks.a

Thinkstock

Who has responsibility?

“At the end of the day, the business risks of unplanned downtime rest with the enterprise,” Hurley says. Despite this, outages like the one that affected Dyn and millions of internet users simultaneously are quickly noticed and reported publicly. Most often, customers are forgiving in situations like these. Ultimately though, when it comes to internet-routing services, the accountability and responsibility for uptime and the availability of as-a-service services rests with the service provider: and accountability to maintain business continuity and the integrity of data should be contained in service-level agreements (SLA).

Thinkstock

Protect yourself

Most service providers will have SLAs with normal out-of-bounds clauses, such as, We are not responsible for acts of God, acts of war, and internet services beyond our control. The service could be the routing of internet traffic, managed firewall services, or it could be mobile phone data, or IaaS, PaaS, SaaS or any other service delivered over the internet. For these reasons, enterprises should evaluate the criticality of services and make backup plans and backup plans to backup plans if necessary.

Thinkstock

Get legal advice

It is common for legal counsel to review and approve SLA contractual responsibilities and this is one area – who is responsible for/not responsible for internet outages and other exigencies – that we strongly recommend enterprises have reviewed by counsel. There is a difference between your internet or cloud provider going down and your customer being unaffected, your inability to deliver, and your service provider being unable to deliver. Make sure you cover the bases and review it with business leaders and counsel.

What’s the enterprise’s responsibility?

The enterprise’s responsibility is anything that is within their control. For services within the enterprise’s control the enterprise should ensure appropriate SLAs are in place, along with appropriate notification, backup, recovery and service resumption services.

“Acts of God”

Almost all contracts from providers classify the type of DDoS attack that hit Dyn as an “act of God” beyond their control and therefore outside the scope of the contract. Some hosting providers offer custom bespoke as-a-service contracts from insurance carriers that reassign insurance proceeds from a reinsurer in the event of acts of God. Commercial providers like Amazon Web Services and Microsoft Azure don’t, as standard practice, offer reinsurance for acts of God. Such terms, if they exist, are probably limited, and where they exist, may come at a higher price to cover the profit margins of the risks being taken by the reinsurer.

Thinkstock

Standby services

Standard business resumption services – at a price – typically include alternative warm/hot standbys across geographically dispersed locations. There is obviously a price to pay because there is a doubling of infrastructure, additional labor, plant, equipment, energy, and labor to restore services from online from immediately to anything within some pre-determined time period. Moreover, additional costs for such readiness may include fees for data duplication and recovery. Such additional expenses may range from lower cost weekly backups to higher-priced replicated databases and communication services that are kept alive – and tested – routinely.